Default provisioning template has SELinux set to permissive
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1100582
Cloned specifically for the Katello component. The SELinux setting in the default Katello Kickstart file is set to permissive, but should be enforcing.
May be blocked on bug #1100367, which will update the services in Foreman's kickstart so iptables etc. are enabled after provisioning.
Description of problem:
Default RHEL provisioning template produces system with insecure settings (SELinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
Kickstart RHEL default
Katello Kickstart Default for RHEL
Not all issues are found in all templates, but what I consider most important:
* system is not registered automatically
* SELinux in permissive
* services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
* although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed
After installation, system should be registered by default.
SELinux should be in enforcing
At least ip*tables services should be running with sane configuration
Just a minimal set of packages should be installed (yum-rhn-plugin and others could probably be removed)
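An added example, not part of the original report or of the Foreman/Katello code: a small Python check that scans a kickstart file for the issues listed above (SELinux mode, disabled services, yum-rhn-plugin in %packages). The sample kickstart text and the helper name `audit_kickstart` are constructed for illustration.

```python
import re

# Constructed sample kickstart, not the actual Foreman/Katello template.
SAMPLE_KS = """\
install
selinux --permissive
services --disabled=iptables,ip6tables,auditd,restorecond,yum-updatesd
%packages
@core
yum-rhn-plugin
%end
"""

# Services and package named in the report.
EXPECTED_SERVICES = {"iptables", "ip6tables", "auditd", "restorecond", "yum-updatesd"}
UNWANTED_PACKAGES = {"yum-rhn-plugin"}


def audit_kickstart(text):
    """Return findings for the issues listed in the report (hypothetical helper)."""
    findings = []
    section = None  # None = command section, else "%packages", "%post", ...
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("%"):
            name = line.split()[0]
            section = None if name == "%end" else name
        elif section == "%packages":
            # A leading "-" excludes a package, so "-yum-rhn-plugin" passes.
            if line in UNWANTED_PACKAGES:
                findings.append(f"package installed: {line}")
        elif section is None:
            m = re.match(r"selinux\s+--(\w+)", line)
            if m and m.group(1) != "enforcing":
                findings.append(f"selinux: {m.group(1)} (expected enforcing)")
            m = re.match(r"services\b.*--disabled[= ]\s*[\"']?([\w,.@-]+)", line)
            if m:
                for svc in sorted(EXPECTED_SERVICES & set(m.group(1).split(","))):
                    findings.append(f"service disabled: {svc}")
    return findings


if __name__ == "__main__":
    for finding in audit_kickstart(SAMPLE_KS):
        print(finding)
```

Only kickstart directives are inspected; changes made inside %post scripts are not evaluated.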
Fixes #6246, bz1100582 - Services mods for KS templates
Some of the services like sendmail, cups, pcmcia were unnecessarily
disabled. Removing them from being disabled.